Add support for SSE-C encryption

[noonedeadpunk]

Changes implement 2 new flags --sse-customer-key and
--sse-copy-source-customer-key that can be used by user to
provide a key for server side encryption.

Once these options are set extra headers are added to request
accordingly to SSE-C specification [1]

This PR squashes and rebases on current master changes
implemented by @jheller

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-s3-c-encryption.html
Closes-Bug: #352

[noonedeadpunk]

This is WIP - while put and copy seems to work properly, get does not. Also patch missing tests atm. Fill fix this soon.

[noonedeadpunk]

Sorry for spamming - I thought it would be easier to test out locally, but eventually some things that were passing locally were failing in CI.

Now I believe patch is in usable shape so you're welcome to review it!

[noonedeadpunk]

I've just sorted imports - can revert them back

[fviard]

Sorry for spamming - I thought it would be easier to test out locally, but eventually some things that were passing locally were failing in CI.

Now I believe patch is in usable shape so you're welcome to review it!

Don't worry, it is always appreciated that you take the time to be sure that it is all good :-)

[fviard]

I think that you can simply do:
if "mtime" not in cfg.sync_checks:

[noonedeadpunk]

Yeah, wasn't changing that part from fork. Changed

[fviard]

(Same for other similar blocks)
You can give the value to hash directly to the md5 like md5(sse_customer_key).
So, I think that it will be cleaner if you pack everything in a single line and avoid temporary vars like:
b64(md5(key).digest())

[noonedeadpunk]

Done

[fviard]

I put the comment here, but same for all decode() and encode():
Even if the effect will be the same, it would be better to use the encode_to_s3() and decode_from_s3() instead.

[noonedeadpunk]

Done

[fviard]

Why do you add 172.17.0.1? localhost is not enough for github actions?

[noonedeadpunk]

Nah, it's not needed. it's just one of IPs minio listens on in CI, so just added all IPs while testing. Changed.

[fviard]

Thank you for your contribution.
I will need a little bit more time to review, but it looks very nice to me so far.

Your addition of "https" for the CI with certgen is a very good idea, i did not know about this tool.
Would it be possible that you extract this from this PR to put it in a separated one as it is a different subject?
Also, there is a little bit that surprise me, you don't setup the path to the certificates for Minio.
Does it use automatically certs generated with the same name from ~/.minio/certs forlder?

Also, to spare a few seconds of "cert" generation for nothing, maybe you can "cache" the generated certificates with certgen to avoid doing the expensive generation operation each time.

[noonedeadpunk]

@fviard Um, yes, I can extract SSL from this PR. Another good thing to extract would be fixing of extra-headers that are currently not applied for object get.

But tbh I don't know how in github I can make series of patches. Ie, for this PR to pass CI, it should be based on top of the one with SSL. I dunno how to submit such series based on top of each other in github (super easy thing to do in gerrit :D)
So to make these separate PR and all of them working and passing CI sound to me close to impossible or I just lack knowledge:( Unless you can quick merge it and I then will be able to just rebase on master...

Regarding ~/.minio/certs - that is default path and is loaded automatically. Eventually certio is developed by minio as well, so they make it super easy to use: https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html

[noonedeadpunk]

Also te be fair, seems like my patch is kind of duplicating #1083

[salanki]

Any movement on this one?